[163990] in North American Network Operators' Group
Re: .biz DNSSEC borked
daemon@ATHENA.MIT.EDU (jamie rishaw)
Sat Jun 22 15:10:31 2013
In-Reply-To: <51C5F0D8.3050706@tomt.net>
Date: Sat, 22 Jun 2013 14:10:10 -0500
From: jamie rishaw <j@arpa.com>
To: Andre Tomt <andre-nanog@tomt.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
confirmed
None of the 5 DNSKEY records could be validated by any of the 2 DS records
The DNSKEY RRset was not signed by any keys in the chain-of-trust
biz has SOA record a.gtld.biz. hostmaster.neustar.biz. 12161960 900 900
604800 86400 (BOGUS (security failure)) validation failure <biz. SOA IN>:
no keys have a DS from 156.154.127.65 for key BIZ. while building chain of
trust
tcp: biz has SOA record a.gtld.biz. hostmaster.neustar.biz. 12161960 900
900 604800 86400 (BOGUS (security failure)) validation failure <biz. SOA
IN>: no keys have a DS from 156.154.127.65 for key BIZ. while building
chain of trust
On Sat, Jun 22, 2013 at 1:45 PM, Andre Tomt <andre-nanog@tomt.net> wrote:
>
> Seems the entire .biz tld is failing DNSSEC validation now.
> All of my DNSSEC validating resolvers are tossing all domains in .biz.
> The non-signed domains too of course because trust of the tld itself cannot
> be established.
>
> http://dnssec-debugger.verisignlabs.com/nic.biz
>
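
The check behind the "could be validated by any of the 2 DS records" and "no keys have a DS" errors above, as an added example that is not part of the original messages: a resolver recomputes a DS (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) for each DNSKEY in the child zone and looks for a match in the parent's DS set. The key material and both scenarios are constructed and say nothing about the actual cause of the .biz failure; verifying the RRSIG over the DNSKEY RRset is a further step not covered here.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def anchored_keys(owner, ds_set, dnskey_set):
    """DNSKEYs in the child zone that some DS record at the parent vouches for."""
    wanted = {(tag, alg, dig.lower()) for tag, alg, dtype, dig in ds_set if dtype == 2}
    found = []
    for rdata in dnskey_set:
        tag, alg, _, dig = make_ds(owner, rdata)
        if (tag, alg, dig) in wanted:
            found.append(rdata)
    return found

def chain_status(owner, ds_set, dnskey_set):
    """'bogus' when no DNSKEY is anchored by a DS, as in the errors quoted above."""
    return "anchored" if anchored_keys(owner, ds_set, dnskey_set) else "bogus"

# Constructed key material (not real .biz keys): two KSKs and one ZSK, algorithm 8.
KSK_A = dnskey_rdata(257, 3, 8, b"constructed-ksk-a")
KSK_B = dnskey_rdata(257, 3, 8, b"constructed-ksk-b")
ZSK = dnskey_rdata(256, 3, 8, b"constructed-zsk")
PARENT_DS = [make_ds("biz.", KSK_A)]   # what the parent zone publishes
HEALTHY = [KSK_A, ZSK]                 # child DNSKEY RRset containing the DS'd key
BROKEN = [KSK_B, ZSK]                  # child DNSKEY RRset with no DS'd key

if __name__ == "__main__":
    print("healthy:", chain_status("biz.", PARENT_DS, HEALTHY))
    print("broken: ", chain_status("biz.", PARENT_DS, BROKEN))
```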